U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Results of Technical Network Vulnerability Assessment:
EPA's National Vehicle and Fuel Emissions Laboratory

Report No. 12-P-0900                                   September 27, 2012


Report Contributors:    Rudolph M. Brevard
                        Warren Brooks
                        Scott Sammons


Hotline

To report fraud, waste, or abuse, contact us through one of the following methods:

e-mail:    OIG_Hotline@epa.gov                      write:    EPA Inspector General Hotline
phone:     1-888-546-8740                                     1200 Pennsylvania Avenue NW
fax:       202-566-2599                                       Mailcode 2431T
online:    http://www.epa.gov/oig/hotline.htm                 Washington, DC 20460


U.S. Environmental Protection Agency                                        12-P-0900
Office of Inspector General                                         September 27, 2012

At a Glance

Why We Did This Review

We sought to conduct network vulnerability testing of the U.S. Environmental Protection
Agency's (EPA's) National Vehicle and Fuel Emissions Laboratory (NVFEL) Local Area
Network to identify resources that contained commonly known high-risk and medium-risk
vulnerabilities. We also sought to assess the physical controls and environmental
controls around critical information technology assets located in the NVFEL. We
conducted this audit as part of the annual review of EPA's information security
program as required by the Federal Information Security Management Act.

This report addresses the following EPA Goal or Cross-Cutting Strategy:

  • Strengthening EPA's Workforce and Capabilities

For further information, contact our Office of Congressional and Public Affairs at
(202) 566-2391.

The full report is at:
www.epa.gov/oig/reports/2012/20120927-12-P-0900.pdf

Results of Technical Network Vulnerability Assessment: EPA's National Vehicle and
Fuel Emissions Laboratory

What We Found

While our assessments of EPA's NVFEL server room found no weaknesses with physical
controls and environmental controls, vulnerability testing of networked resources
located in the NVFEL identified Internet Protocol addresses with potentially
9 critical-risk, 70 high-risk, and 297 medium-risk vulnerabilities. If not resolved,
these vulnerabilities could expose EPA's assets to unauthorized access and potentially
harm the Agency's network. The laboratory and the Office of Environmental Information
manage the resources located in NVFEL that contained these weaknesses. We found a
discrepancy between the offices concerning responsibility for certain equipment
located in the NVFEL. However, NVFEL provided documentation which placed ownership
responsibility with the Office of Environmental Information and Customer Technology
Solutions for the devices in question.

Recommendations and Agency Corrective Actions

We recommend that the Senior Information Official within the Office of Air and
Radiation and the Office of Environmental Information:

  • Provide the OIG a status update for every critical-risk, high-risk and
    medium-risk vulnerability identified by the technical scanning tool within
    30 days of this report.
  • Create plans of action and milestones in the Agency's Automated Security
    Self-Evaluation and Remediation Tracking system for all vulnerabilities
    according to Agency procedures within 30 days of this report.
  • Perform a technical vulnerability assessment test of assigned networked
    resources within 60 days to confirm completion of remediation activities.

We also recommend that the Senior Information Official within the Office of
Environmental Information:

  • Disconnect any networked resources without documented ownership
    responsibility.
  • Complete an inventory of all Customer Technology Solutions equipment
    prior to implementation of EPA's new managed desktop support system.

Representatives from both offices acknowledged the existence of the vulnerabilities
and stated they have begun developing corrective actions to address the risks related
to these weaknesses. NVFEL reported it remediated all high-risk vulnerabilities under
its responsibility prior to the issuance of this report.

The detailed testing results have already been provided to Agency representatives.
Due to the sensitive nature of the report's technical findings, the technical details
will not be made available to the public.


                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
                                   WASHINGTON, D.C. 20460

                                                                   THE INSPECTOR GENERAL

                                       September 27, 2012

MEMORANDUM

SUBJECT:  Results of Technical Network Vulnerability Assessment:
          EPA's National Vehicle and Fuel Emissions Laboratory
          Report No. 12-P-0900

FROM:     Arthur A. Elkins, Jr.

TO:       Betsy Shaw
          Senior Information Official
          Office of Air and Radiation

          Renee Wynn
          Principal Deputy Assistant Administrator and Senior Information Official
          Office of Environmental Information


This is our quick reaction report on the subject audit conducted by the Office of Inspector
General (OIG) of the U.S. Environmental Protection Agency (EPA). Due to the sensitive nature
of the technical findings, we are issuing this report for urgent management remediation. The site
assessment was conducted in conjunction with our annual audit of EPA's information security
program as required by the Federal Information Security Management Act. This report provides
the summary of our security assessment of networked resources located at EPA's National
Vehicle and Fuel Emissions Laboratory (NVFEL) in Ann Arbor, Michigan.

Our tests disclosed that networked resources at NVFEL contained potentially 9 critical-risk,
70 high-risk, and 297 medium-risk vulnerabilities. The laboratory and Office of Environmental
Information (OEI) are responsible for managing resources located in NVFEL. To facilitate
immediate remediation actions, we provided your offices' representatives with the technical
results during our site visit. Upon receipt of the results, NVFEL representatives identified OEI
owned devices located on site. After providing OEI with a list of these devices, OEI stated that
some of the devices were not under its responsibility. However, NVFEL provided documentation
which placed ownership responsibility with OEI and Customer Technology Solutions for the
devices in question. Ultimately, NVFEL representatives plan to take responsibility for remediating
the vulnerabilities existing on the OEI devices in dispute. The NVFEL reported that it remediated
all high-risk vulnerabilities under its responsibility prior to the issuance of this report.


12-P-0900                                                                                         1


We reported similar concerns about computer equipment accountability in EPA OIG Report No.
11-P-0705, EPA's Contract Oversight and Controls Over Personal Computers Need Improvement,
September 26, 2011. Discrepancies in ownership responsibilities of networked resources can
potentially lead to untimely vulnerability remediation or unresolved vulnerabilities that could
expose EPA's assets to unauthorized access and potentially harm the Agency's network. As EPA
moves from Customer Technology Solutions to a new contract for its managed desktop support
system, it is important to resolve any discrepancies resulting from accountability for EPA assets
that may be included in this new contract.

We performed this audit work from February through September 2012 at EPA's NVFEL in Ann
Arbor, Michigan. We performed this audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient and appropriate evidence to provide a reasonable basis for our findings and
conclusions based on the audit objectives. We believe the evidence obtained provides a
reasonable basis for our findings and conclusions.

We conducted testing to identify the existence of commonly known vulnerabilities using a
commercially available network vulnerability assessment tool recognized by the National
Institute of Standards and Technology (NIST). We interviewed EPA personnel responsible for
managing the networked resources located in NVFEL. We reviewed relevant EPA interim
procedures to obtain an understanding of the Agency's Automated Security Self-Evaluation and
Remediation Tracking system used for recording identified weaknesses. We tested the Internet
Protocol addresses associated with networked resources located in NVFEL. We used the risk
ratings provided by the vulnerability software to determine the level of harm a risk could pose to
a networked resource due to the vulnerability and accepted the results from the software tool as
the level of risk to EPA's network. Upon follow-up with your offices' representatives, they
acknowledged the existence of the vulnerabilities and stated that some mitigation activities had
already begun related to these risks.

We performed an inspection of EPA's NVFEL server room with key information technology
(IT) personnel to assess the physical controls and environmental controls around IT assets. We
interviewed Agency IT staff to determine the extent to which IT equipment is protected from
physical, environmental, and human threats. We used NIST Special Publication 800-53,
Recommended Security Controls for Federal Information Systems and Organizations, as the
template for evaluating IT security controls for the server rooms. We found no weaknesses
during the assessment.

Recommendations

We recommend that the Senior Information Official within the Office of Air and Radiation
and the Office of Environmental Information:

   1. Provide the OIG a status update for every critical-risk, high-risk, and medium-risk
      vulnerability identified by the technical scanning tool within 30 days of this report.


12-P-0900                                                                                         2


   2. Create plans of action and milestones in the Agency's Automated Security Self-
      Evaluation and Remediation Tracking system for all vulnerabilities according to Agency
      procedures within 30 days of this report.

   3. Perform a technical vulnerability assessment test of assigned networked resources within
      60 days to confirm completion of remediation activities.

We also recommend that the Senior Information Official within the Office of Environmental
Information:

   4. Disconnect any networked resources without documented ownership responsibility.

   5. Complete an inventory of all Customer Technology Solutions equipment prior to the
      implementation of EPA's new managed desktop support system.

Action Required

Please provide written responses to this report within 30 calendar days. You should include a
corrective action plan for agreed-upon actions, including milestone dates.

Due to the sensitive nature of the report's technical findings, the technical details are not
included in this report and will not be made available to the public. The OIG plans to post on the
OIG's public website the corrective action plans that you provide to us that do not contain
sensitive information. Therefore, we request that you provide the response to recommendation 1
in a separate document; we will not make that response available to the public if it contains
sensitive information.

Your responses should be provided as Adobe PDF files that comply with the accessibility
requirements of Section 508 of the Rehabilitation Act of 1973, as amended. Except for your
response to recommendation 1, which will not be posted if it contains sensitive information, your
responses should not contain data that you do not want to be released to the public; if those
responses contain such data, you should identify the data for redaction or removal.

If you or your staff have any questions regarding this report, please contact Patricia H. Hill,
Assistant Inspector General for Mission Systems, at (202) 566-0894 or hill.patricia@epa.gov; or
Rudolph M. Brevard, Product Line Director, Information Resources Management Assessments,
at (202) 566-0893 or brevard.rudy@epa.gov.


12-P-0900                                                                                         3


                          Status of Recommendations and
                            Potential Monetary Benefits

                                                                                      POTENTIAL MONETARY
                                 RECOMMENDATIONS                                      BENEFITS (in $000s)

Rec.  Page  Subject                                         Status (1)  Action Official                  Planned     Claimed  Agreed-To
No.   No.                                                                                                Completion  Amount   Amount
                                                                                                         Date

 1     2    Provide the OIG a status update for every       U           Senior Information Official,
            critical-risk, high-risk, and medium-risk                   Office of Air and Radiation
            vulnerability identified by the technical                   and Office of Environmental
            scanning tool within 30 days of this report.                Information

 2     3    Create plans of action and milestones in the    U           Senior Information Official,
            Agency's Automated Security Self-Evaluation                 Office of Air and Radiation
            and Remediation Tracking system for all                     and Office of Environmental
            vulnerabilities according to Agency procedures              Information
            within 30 days of this report.

 3     3    Perform a technical vulnerability assessment    U           Senior Information Official,
            test of assigned networked resources within                 Office of Air and Radiation
            60 days to confirm completion of remediation                and Office of Environmental
            activities.                                                 Information

 4     3    Disconnect any networked resources without      U           Senior Information Official,
            documented ownership responsibility.                        Office of Environmental
                                                                        Information

 5     3    Complete an inventory of all Customer           U           Senior Information Official,
            Technology Solutions equipment prior to the                 Office of Environmental
            implementation of EPA's new managed desktop                 Information
            support system.

(1)  O = recommendation is open with agreed-to corrective actions pending
     C = recommendation is closed with all agreed-to actions completed
     U = recommendation is unresolved with resolution efforts in progress


12-P-0900                                                                                         4


                                                                                Appendix A

                                    Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Assistant Administrator for Air and Radiation
Principal Deputy Assistant Administrator for Environmental Information and
       Senior Information Official
Senior Information Official, Office of Air and Radiation
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Senior Agency Information Security Officer
Audit Follow-Up Coordinator, Office of Air and Radiation
Audit Follow-Up Coordinator, Office of Environmental Information


12-P-0900                                                                                         5
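The methodology and recommendations sections of the report above describe a triage workflow: accept the scanner's own risk rating for each finding, roll the findings up by severity, tie every affected address back to a documented owner so that a plan of action can be assigned, and set the 30-day status and 60-day rescan milestones. The script below is an added example of that workflow and is not part of the OIG report or any EPA tool; the scan rows, the CSV column names, the addresses and the ownership inventory are all constructed for illustration.

```python
"""
Triage of a network vulnerability scan export: accept the scanner's risk
rating per finding, count findings by severity, map each address to its
documented owner, flag addresses with no owner, and compute remediation
milestones. Added example; all data below is constructed, not EPA data.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed scanner export. Column names and values are assumptions, not
# the output format of any particular product.
SCAN_CSV = """ip,severity,finding
10.0.0.11,Critical,Unsupported operating system
10.0.0.11,High,Default administrative credentials
10.0.0.12,Medium,TLS 1.0 enabled
10.0.0.13,High,Missing security update
10.0.0.13,Medium,SNMP public community string
10.0.0.14,Medium,Self-signed certificate
10.0.0.99,Critical,Remote code execution in web service
10.0.0.99,Low,ICMP timestamp disclosure
"""

# Constructed ownership inventory: address -> responsible office.
# 10.0.0.99 is deliberately absent to model a device with no documented owner.
INVENTORY = {
    "10.0.0.11": "NVFEL",
    "10.0.0.12": "NVFEL",
    "10.0.0.13": "OEI",
    "10.0.0.14": "OEI",
}

# Severities the report tracks for remediation status; "Low" is not tracked.
SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1}


def parse_scan(text):
    """Return (ip, severity, finding) tuples from the scanner CSV export."""
    return [(r["ip"], r["severity"], r["finding"])
            for r in csv.DictReader(io.StringIO(text))]


def count_by_severity(findings):
    """Count tracked findings per severity, using the scanner's own rating."""
    counts = Counter(sev for _, sev, _ in findings if sev in SEVERITY_RANK)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def assign_owners(findings, inventory):
    """Group tracked findings by responsible office; no owner -> 'UNASSIGNED'."""
    by_owner = defaultdict(list)
    for ip, sev, finding in findings:
        if sev in SEVERITY_RANK:
            by_owner[inventory.get(ip, "UNASSIGNED")].append((ip, sev, finding))
    return dict(by_owner)


def unowned_addresses(findings, inventory):
    """Addresses carrying tracked findings but lacking a documented owner."""
    return sorted({ip for ip, sev, _ in findings
                   if sev in SEVERITY_RANK and ip not in inventory})


def worst_severity(findings, ip):
    """Highest tracked severity reported for one address, or None."""
    sevs = [sev for a, sev, _ in findings if a == ip and sev in SEVERITY_RANK]
    return max(sevs, key=SEVERITY_RANK.get) if sevs else None


def remediation_milestones(report_date):
    """Status update and POA&M entry due at 30 days, confirmation rescan at 60.

    Accepts a date or an ISO string; returns ISO strings.
    """
    if isinstance(report_date, str):
        report_date = date.fromisoformat(report_date)
    return {
        "status_update_due": (report_date + timedelta(days=30)).isoformat(),
        "poam_due": (report_date + timedelta(days=30)).isoformat(),
        "rescan_due": (report_date + timedelta(days=60)).isoformat(),
    }


if __name__ == "__main__":
    findings = parse_scan(SCAN_CSV)
    print("Findings by severity:", count_by_severity(findings))
    for owner, items in sorted(assign_owners(findings, INVENTORY).items()):
        print(f"{owner}: {len(items)} tracked finding(s)")
    print("No documented owner:", unowned_addresses(findings, INVENTORY))
    print("Milestones:", remediation_milestones("2012-09-27"))
```

The ownership join is the part worth copying: a finding that no office claims never gets a plan of action, which is exactly the accountability gap the report describes, so the script surfaces those addresses as a separate list rather than silently dropping them into a catch-all bucket.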